Migrating the Master Key from HSM to Ranger KMS DB
How to migrate the master key from Luna HSM to Ranger KMS DB.
- Go to the Ranger KMS directory.
  Example:
  cd /opt/cloudera/parcels/CDH/lib/ranger-kms
- Export the following variables:
  export JAVA_HOME=/usr/java/jdk1.8.0_232-cloudera
  export RANGER_KMS_HOME=/opt/cloudera/parcels/CDH/lib/ranger-kms
- Get the active process directory of the rangerkms process and copy the path of its conf directory:
  ps -ef | grep rangerkms
  From the output of the above command, take the path of the rangerkms conf directory and export it together with the SQL connector JAR:
  export RANGER_KMS_CONF=/var/run/cloudera-scm-agent/process/xxxx-ranger_kms-RANGER_KMS_SERVER/conf
  export SQL_CONNECTOR_JAR=/opt/cloudera/cm/lib/postgresql-42.1.4.jre7.jar
- From the same ps output, copy the path of the active process directory for the rangerkms process:
  ps -ef | grep rangerkms
- Open proc.json in that directory and get the value of HADOOP_CREDSTORE_PASSWORD, then export it:
  vim /var/run/cloudera-scm-agent/process/xxxx-ranger_kms-RANGER_KMS_SERVER/proc.json
  export HADOOP_CREDSTORE_PASSWORD=hadoop_credstore_pwd
- Run the following command:
  [root@os-mv-711-1 ranger-kms]# ${JAVA_HOME}/bin/java -cp "${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_CONF}:${RANGER_KMS_HOME}/ews/webapp/WEB-INF/classes/lib/*:${SQL_CONNECTOR_JAR}:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF:${RANGER_KMS_CONF}/*" org.apache.hadoop.crypto.key.HSM2DBMKUtil LunaProvider <partition-name>
- Run the following command:
  ./HSMMK2DB.sh <provider> <HSM_PARTITION_NAME>
  Example: ./HSMMK2DB.sh LunaProvider
- Enter the partition password when requested.
- Log in to the database that Ranger KMS is using, and validate that the master key was migrated successfully.
  Example: if the Ranger KMS database is Postgres, then
  su - postgres
  psql
  Password: cloudera
  \l
  (find the rangerkms database in the listing)
  \c rangerkms
  select * from ranger_masterkey;
- Log in to CM and disable the HSM:
  ranger.ks.hsm.enabled = false
- Restart Ranger KMS.
- Delete the master key from the partition.
  cd /usr/safenet/lunaclient/bin/
  ./lunacm
  lunacm:> role login -n co
  enter password: **********
  lunacm:> par con
  lunacm:> par clear
  proceed
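The steps above locate values by eye and put the credential-store password on an export command line, and the final `par clear` removes every object in the Luna partition, not only the master key. The script below is an added example, not code from this page, from Cloudera or from Ranger KMS: it pulls the conf directory out of the `ps -ef` output, reads HADOOP_CREDSTORE_PASSWORD from proc.json into a variable without echoing it, and provides a gate that refuses to proceed to the HSM-side cleanup unless the `ranger_masterkey` table actually holds a row. The ps line and proc.json contents it runs against are constructed samples; the assumed formats (the conf path appearing on the KMS java command line, and proc.json carrying `"HADOOP_CREDSTORE_PASSWORD": "<value>"`) are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the Cloudera page or from Ranger KMS itself.
# Assumptions (not from the page): proc.json contains the entry
# "HADOOP_CREDSTORE_PASSWORD": "<value>", and the KMS java command line
# includes the conf directory under /var/run/cloudera-scm-agent/process/.

# Print the Ranger KMS conf directory found in ps output read from stdin.
kms_conf_from_ps() {
    grep -o '/var/run/cloudera-scm-agent/process/[0-9]*-ranger_kms-RANGER_KMS_SERVER/conf' \
        | head -n 1
}

# Print the HADOOP_CREDSTORE_PASSWORD value stored in the proc.json file $1.
# Capture it with $(...) into a variable; never pass it on a command line.
credstore_password_from_proc_json() {
    sed -n 's/.*"HADOOP_CREDSTORE_PASSWORD"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | head -n 1
}

# Succeed only when $1 (a row count from ranger_masterkey) is a number >= 1.
# Anything else, including an empty psql result, fails closed.
master_key_present() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ]
}

# Live pre-flight: run as the postgres user before disabling the HSM or
# clearing the partition. Non-zero exit means do not run `par clear`.
preflight_before_partition_clear() {
    count=$(psql -tAc 'select count(*) from ranger_masterkey;' rangerkms) || return 1
    master_key_present "$count"
}

# Constructed sample inputs so the helpers can be exercised offline.
# <kms-main-class> is a placeholder, not the real KMS main class.
SAMPLE_PS='root 4242 1 0 10:00 ? 00:01:00 /usr/java/jdk1.8.0_232-cloudera/bin/java -cp /var/run/cloudera-scm-agent/process/1234-ranger_kms-RANGER_KMS_SERVER/conf:/opt/cloudera/parcels/CDH/lib/ranger-kms/ews/lib/* <kms-main-class>'
SAMPLE_PROC_JSON=$(mktemp)
printf '%s\n' '{ "environment": { "HADOOP_CREDSTORE_PASSWORD": "constructed-example-pwd", "JAVA_HOME": "/usr/java/jdk1.8.0_232-cloudera" } }' > "$SAMPLE_PROC_JSON"

# Offline walk-through of the helpers on the constructed inputs.
demo() {
    conf=$(printf '%s\n' "$SAMPLE_PS" | kms_conf_from_ps)
    echo "RANGER_KMS_CONF=$conf"
    pwd_value=$(credstore_password_from_proc_json "$SAMPLE_PROC_JSON")
    echo "credstore password read: ${#pwd_value} characters (value not printed)"
    if master_key_present 1; then echo "gate: 1 row -> safe to continue"; fi
    if ! master_key_present 0; then echo "gate: 0 rows -> stop before par clear"; fi
}
demo
```

In the real migration, `export RANGER_KMS_CONF=$(ps -ef | kms_conf_from_ps)` and `HADOOP_CREDSTORE_PASSWORD=$(credstore_password_from_proc_json "$RANGER_KMS_CONF/../proc.json"); export HADOOP_CREDSTORE_PASSWORD` replace the hand-copied exports, and `preflight_before_partition_clear` sits between the database check and the lunacm session so that the partition is only cleared after the key is confirmed to live in the database.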